Hide parameters from @Url.Action

I have this code

<a href="@Url.Action("Edicao", "EdicaoListaVerificacao", new { idFormulario = m.Id })" title="Editar" class="glyphicon glyphicon-pencil" aria-hidden="true" />

Where 'Edit' is my action and 'FunctionEdit' is my Controller. My action needs a parameter and I passed it building an 'instance'. How the property needs. The problem is that the URL can be altered and the user can access things that they can't.

You can never hide your URLs - nor should you. You should verify, instead, inside the Edicao action method that the user has permission to view the Formulario with the specified Id.

In all web applications, you have to assume that the URLs users try to retrieve can be absolutely anything - and that some users will attempt to edit URLs to get at hidden content. ASP.NET has built-in authentication and authorization mechanisms that you should use.

If you're just looking for a simple way to make a URL that's impossible to guess, without forcing users to log on, you have to use something more complicated than a numeric ID, like a GUID.

And if at any point you are tempted by roll-your-own solutions such as URL referrer checking or verifying cookies, remember that easier-to-use solutions are most likely built into ASP.NET already.
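The per-request permission check this answer recommends, written for ASP.NET MVC 5 as an added example (not code from the original thread). The `Formulario` model, its `OwnerUserName` property and the in-memory `Store` are assumptions standing in for the asker's real data layer.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical model: OwnerUserName is an assumed field recording who may edit the form.
public class Formulario
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
}

[Authorize] // built-in MVC filter: anonymous requests are rejected before the action runs
public class EdicaoListaVerificacaoController : Controller
{
    // Constructed sample data standing in for the real database.
    private static readonly Dictionary<int, Formulario> Store = new Dictionary<int, Formulario>
    {
        { 1, new Formulario { Id = 1, OwnerUserName = "alice" } },
        { 2, new Formulario { Id = 2, OwnerUserName = "bob" } },
    };

    // The decision uses only the authenticated identity and the stored record,
    // not headers or other values the browser can set freely.
    internal static bool CanEdit(IPrincipal user, Formulario form)
    {
        return user != null && user.Identity.IsAuthenticated
            && string.Equals(user.Identity.Name, form.OwnerUserName,
                             System.StringComparison.OrdinalIgnoreCase);
    }

    public ActionResult Edicao(int idFormulario)
    {
        Formulario form;
        if (!Store.TryGetValue(idFormulario, out form))
            return HttpNotFound();

        // Runs on every request, so changing the id in the URL gains nothing.
        if (!CanEdit(User, form))
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

        return View(form);
    }
}
```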

That's it! Thank you, guys. I found a way to implement a check in my action. With Request.UrlReferrer.

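    public ActionResult Edicao(int idFormulario)
    {
        // Referer header of the current request, or null when it is absent
        Uri url = Request.UrlReferrer;

        if (url != null)
        {
            // DO ALL THINGS YOU HAVE TO
            return View();
        }
        else
        {
            // RETURN TO INDEX
            return RedirectToAction("Index");
        }
    }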

The Request.UrlReferrer returns me the URL if it comes from my request. If not, it returns null. Then I just build an if block ;). Thank you guys!
